
Error description

My cluster uses Istio, and one of the services deployed in the mesh (java) needs to connect to an external resource, `x.cmp.net/doc.pdf`, using http on port 443. This external resource uses a trusted wildcard certificate (DigiCert) with subject `*.cmp.net`, `cmp.net`. When I try to verify the ssl certificate with openssl (from the application container), I get a Google certificate (?? istio certificate?):

opt$ openssl s_client -showcerts -connect x.cmp.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:CN = *.google.com

The application is written in java, and when it tries to download the resource:

No subject alternative DNS name matching shipjobmt.ista.net found.

My configuration:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet
  namespace: ppct
spec:
  hosts:
    - x.cmp.net
    - y.cmp.net
    - z.cmp.net
  exportTo:
    - "."
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: xinternalnet
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yinternalnet
  namespace: ppct
spec:
  host: y.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: zinternalnet
  namespace: ppct
spec:
  host: z.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE

I also have blocking mode enabled:

kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY

Versions

`istioctl version`
client version: 1.11.0
control plane version: 1.11.0
data plane version: 1.11.0 (65 proxies)


`kubectl version --short`
Client Version: v1.19.9
Server Version: v1.19.9

Additional information

No response.

1 Answer

Your problem seems to be related to double TLS (you can read more about it here). There are two possible solutions:

Solution 1

In the `ServiceEntry`, define the protocol as HTTP and redirect to 443:

spec:
  hosts:
  - ...
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443

Solution 2

Disable TLS for outgoing traffic in the `DestinationRule`:

trafficPolicy:
  tls:
    mode: DISABLE
Answered 2021-09-17T09:50:59.990
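As an added example (not part of the question or the answer), a small Python check that takes the ServiceEntry and DestinationRule objects as `kubectl get serviceentry,destinationrule -o json` returns them and flags the double-TLS pairing discussed above: a port the ServiceEntry declares HTTPS/TLS combined with a DestinationRule that makes the sidecar originate TLS again. The sample objects are constructed from the question's manifests, and the helper names (`find_double_tls`, `_effective_tls_mode`, `_se`, `_dr`) are my own.

```python
# Flags Istio "double TLS": a ServiceEntry port declared HTTPS/TLS (the app already speaks
# TLS) paired with a DestinationRule that makes the sidecar originate TLS again (SIMPLE/MUTUAL).
from fnmatch import fnmatchcase

ORIGINATION_MODES = {"SIMPLE", "MUTUAL"}  # modes in which the sidecar starts its own TLS
def _effective_tls_mode(policy, port):
    """Port-level TLS settings override the rule-wide trafficPolicy.tls."""
    for pls in policy.get("portLevelSettings", []):
        if pls.get("port", {}).get("number") == port and "tls" in pls:
            return pls["tls"].get("mode")
    return policy.get("tls", {}).get("mode")

def find_double_tls(items):
    """Return (host, port, destinationrule, mode) for every risky pairing."""
    rules = [i for i in items if i["kind"] == "DestinationRule"]
    findings = []
    for se in (i for i in items if i["kind"] == "ServiceEntry"):
        # Only ports on which the application itself is expected to speak TLS.
        tls_ports = [p["number"] for p in se["spec"].get("ports", [])
                     if p.get("protocol", "").upper() in ("HTTPS", "TLS")]
        for host in se["spec"].get("hosts", []):
            for dr in rules:  # DestinationRule hosts may be wildcards (*.cmp.net)
                if not fnmatchcase(host, dr["spec"]["host"]):
                    continue
                policy = dr["spec"].get("trafficPolicy", {})
                for port in tls_ports:
                    mode = _effective_tls_mode(policy, port)
                    if mode in ORIGINATION_MODES:
                        findings.append((host, port, dr["metadata"]["name"], mode))
    return findings

def _se(name, hosts, ports):  # minimal ServiceEntry object (constructed sample)
    return {"kind": "ServiceEntry", "metadata": {"name": name}, "spec": {"hosts": hosts, "ports": ports}}

def _dr(name, host, mode):  # minimal DestinationRule object (constructed sample)
    return {"kind": "DestinationRule", "metadata": {"name": name},
            "spec": {"host": host, "trafficPolicy": {"tls": {"mode": mode}}}}

# Question's setup: app TLS on 443 + tls.mode SIMPLE -> double TLS on x; y uses solution 2 (DISABLE).
BROKEN_ITEMS = [
    _se("internalnet", ["x.cmp.net", "y.cmp.net"],
        [{"number": 443, "name": "https", "protocol": "HTTPS"}]),
    _dr("xinternalnet", "x.cmp.net", "SIMPLE"),
    _dr("yinternalnet", "y.cmp.net", "DISABLE"),
]
# Solution 1: app sends plain HTTP to 80, sidecar redirects to 443 and is the only TLS origin.
FIXED_ITEMS = [
    _se("internalnet", ["x.cmp.net"],
        [{"number": 80, "name": "http", "protocol": "HTTP", "targetPort": 443}]),
    _dr("xinternalnet", "x.cmp.net", "SIMPLE"),
]
```

Running `find_double_tls` on the live cluster output is a cheap pre-apply check: any finding means the application's TLS handshake will be wrapped in the sidecar's, which is exactly what produces the wrong-certificate and hostname-mismatch symptoms above.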